5 steps to getting serious about law firm cyber security

Law firms have a clear duty of care with respect to the sensitive information they hold about their clients and the matters they’re working on.

Last week, as part of our contribution to Cyber Security Awareness Month, we wrote about the seriousness of the cybercrime threat facing law firms. In particular, we noted that one of the downsides of going paperless is that many more documents are potentially accessible to hackers.

It’s not an idle threat. Earlier this year, for example, almost 50 of the biggest corporate law firms in the United States were targeted by a Russian hacking collective aiming to steal information that they might use for insider trading.

Why did the hackers target law firms? Surely, one would think, they’d go after the bigger fish — like the banks. Some speculate they saw underprepared law firms are a soft target. The Russian incident has spurred many of the largest firms into action. Does that mean that smaller businesses are now under threat?

Fortunately, the risk of many cyber threats can be mitigated by taking some simple preventative measures. Here are five to get you started.

#1. Use two-factor authentication to protect your most sensitive documents

Two-factor authentication means using something you know (e.g. a password) and something you have (typically your phone) to log into your account. When you enable two-factor authentication, you’ll have to enter your password and a randomly generated code that is sent to you by text or email.

You ought to be using two-factor authentication with your most critical online accounts. Yes, it can be a pain since it’s a little slower and more cumbersome than just entering a single password (which is perhaps why, according to a survey by the International Legal Technology Association, fewer than two in 10 firms require it). However, it’s a relatively easy way to improve security drastically.

Unfortunately, software and app makers don’t always make it obvious when two-factor authentication is available. The website twofactorauth.org contains a useful, and mostly up to date, list.

#2. Never share or “re-purpose” logins and passwords

Can you be certain exactly how many people know your password to your firm’s systems? Password sharing is a very serious issue. Employees share their login credentials with each other all the time, often because they need to give colleagues access to a key system or because they’re away and it’s too much hassle (or too expensive) to create a new login.

In fact, in a recent survey of hundreds of IT professionals in the U.S. and the U.K., 19% responded that they knew password sharing was taking place. Some even reported that it was so widespread that passwords were being left lying around, written on post-it notes or stuck to monitors.

A related concern is the re-purposing of logins. This occurs when an employee leaves and, rather than removing their login and creating a new set of credentials, the remaining staff simply continue to use their former colleague’s login. Not only can you not be certain of who now has access, but you may be missing out on crucial information and updates if the email address or on file is incorrect.

Never share passwords and create new, individual logins for each member of staff requiring access. With many systems, such as One Legal, it’s completely free to add more people to your account (take a look at our support center for details).

#3. Choose better passwords

Your password is often the first — and also quite frequently the last — line of defense when it comes to data security. That’s because hackers have become adept at cracking passwords. What, though, constitutes a secure password?

Your password should contain at least eight characters, and ideally a few more than that.

It ought to be a mixture of letters, numbers, and special characters. You can achieve this relatively simply by replacing some letters (e.g. I with 1, A with @) and adding punctuation marks (e.g. !, @, #, $, ?) to the beginning and end of your password.

Avoid using single dictionary words. One of the most common hacking methods is simply to cycle through dictionary words until they find a match. Combine multiple words in a phrase and add special characters to reduce this risk.

Ideally, you’ll use different passwords for each major system you log in to. ArsTechnica.com recently reported that, while the average web user has accounts with 25 websites, they only use, on average, 6.5 passwords to access them. That’s understandable; long and complicated passwords are tricky to remember. If you do have a large number, try using a dedicated password manager like LastPass or KeePass to store them.

#4. Keep your operating systems up to date

There’s a persistent myth out there that computers running Windows are inherently more vulnerable to cyber attacks and viruses. Yes, this was perhaps true with earlier versions of Windows (95 and 98, especially), but today it’s not the case. That is, so long as you’re keeping your system updated and installing security patches.

Yes, installing these updates can be irritatingly time-consuming. However, many updates involve fixing known bugs that create security vulnerabilities. So, if you’re skipping updates, then you risk becoming a sitting duck.

So, install those pesky operating system updates as soon as they’re made available. You should also try to stay on the most recent version of your operating system (right now that’s Windows 10 or, if you’re on a Mac, Sierra.

#5. Encrypt your hard drives

Steps #1 to #4 may seem relatively simple compared to hard drive encryption. However, given that it’s easier than ever to keep the contents of your computer secure, there are few excuses for not encrypting your most sensitive files. If you’re carrying around a laptop that contains sensitive client information, then it’s pretty much essential.

Encryption uses a formula to transform readable data into unreadable data. Decryption is the opposite process — converting the unreadable encrypted data back into readable information. So long as the decryption key is secure, so is the data. The technical details of encryption can be complicated, but fortunately, actually making use of it is relatively straightforward.

Both Windows computers and Macs come with a hard drive encryption option ready to enable (BitLocker and FileVault respectively). Both are pretty simple to get started with. There’s a handy guide over on Lawyerist.com to get you started.